Software products (such as computer programs) can be perfectly reproduced in an infinite number of copies. This is a major concern for publishers of the products wishing to protect their intellectual property rights; indeed, the publishers typically receive a royalty for a licensed use of each product, so that any unaccounted use or distribution of the product results in unpaid royalties. The problem has been exacerbated in the last years by the widespread diffusion of the Internet, which further facilitates the uncontrolled distribution of this kind of products.
The most straightforward way of avoiding unaccounted usage of the products is that of preventing unauthorized copying and transmission. For example, some products embed control code that limits the number of copies that can be made or disables operation of the products after a predetermined period of time has lapsed. Another technique consists of requiring possession of a software or hardware key for running the products. A different solution consists of modifying each product to include a call to a licensing management system. Every time the product is started, a corresponding request is transferred to the licensing management system. The licensing management system verifies whether the usage of the product is authorized. If the result of the verification is positive, the product can continue its execution; otherwise, the product is forced to stop.
Once the execution of a product has been detected, the system can just meter the usage and monitor the execution or can allow or prevent the execution according to available licensing conditions. In the first case it is a pure metering system, while in the latter it is a controlling system.
An example of a state of the art license management system available on the market, is the License Use Management product of International Business Machines Corp.
The fact that a license management system is monitoring the use of a given software program should be as transparent as possible to the users of that software program whereas it should be evident and beneficial to the administrator of licenses for that and other software programs. This consideration places a strong requirement on the license management system in terms of reliability and performance. The ideal license management system should be one which never causes software program failures because of its outage nor becomes a bottleneck for the software programs that it monitors.
In a typical licensing system, all the terms and conditions of the products' license agreements are defined in encrypted license certificates. These certificates may be managed by a license server, in case of licenses shared among multiple clients on a network, or by a local agent in case of licenses for stand-alone applications locked to a specific node. In any case, the information contained in the certificate is permanent and must be kept on disk at least until the date of expiration indicated in the certificate itself. This introduces typical security and data integrity issues that can be addressed exploiting well-known encryption and cryptographic techniques. Another risk is the duplication of the license information by copying the license certificate on another system. For this reason the license certificate often also brings the indication of the unique system where it is valid and/or it can be installed: typically a secure identifier of the system for which it was explicitly generated, like a serial number derived from some hardware source.
However, when two or more databases of certificates must be kept in synch, because licensing information need to be spread over two or more systems, other potential security breaches must be taken into account.
Consider a scenario where license certificates are stored on a license server to which the network clients can connect. The license certificates can be shared among multiple network products according to their actual usage, for example using concurrency criteria. The licensing system can also give some users the capability to reserve licenses in an exclusive manner for a certain period of time, so that these users can disconnect from the network and keep running the licensed products on portable devices. In this scenario, information about the granted reservation and a portion of the original license agreement data must be stored on the client workstation, for example in the form of a new license certificate. The license server itself must keep information about all the outstanding reservations, so that a license already reserved cannot be granted to another user for the whole period of reservation. The licensing system can also give the possibility to such users to interrupt the reservation at any time, informing the license server that the license is available again for other users. This operation could be done as soon as the client restores its connection to the network.
If the end user discovers where the local copy of the certificate is stored on his disk, he could make a copy of it before returning it to the license server. In this way he could make an unauthorised use of the license. Simply, he could give the license back to the server, so that it could be reserved by another user, and keep working with his license just restoring the saved copy. There would be real license usage duplication, the main problem that a licensing system aims to avoid. By iterating this process, a malicious customer could make several reservations out of a single license that was intended for a single usage only.
Storing information on a file (or database) is not enough secure, even if this file is hidden, encrypted and valid only on a single system. Information persistency is however fundamental.
In a more general scope, the same problem occurs each time sensitive information must be protected from unauthorised use or malicious exploitation. As an example, there are cases where maintaining e.g. confidential information on disk when the system is up and running is insecure, mainly because files on hard drives can be more easily accessed by intruders from the Internet. Examples of confidential data are all personal information, such as names, addresses, social security numbers, credit card numbers and health information. Another example is the file of the passwords, which is usually kept by the users on a normal file on the hard disk. Unauthorised disclosure may be caused by a system weakness or by a human error (an employee might by mistake move confidential data to a folder that is not secure). Anything that is stored into a database can potentially be compromised intentionally or unintentionally. Even if the information is encrypted, data integrity is at risk: for instance, data could be deleted without needing to interpret their contents.
Known solutions to keep sensitive information permanent on a system are always based on files written on disk: e.g. hidden flat files, Windows Registry entries or encrypted databases. No matter what solution is chosen, it's always rather easy for a medium skilled user to discover where the information is stored and to save a copy of it for a later reuse. Normal access control techniques do not apply here because the Windows user may actually be the administrator of the system, with the highest permissions available. Cryptography does not provide a solution, because the simple act of copying a file or database as a whole and to restore it in another moment, without any need to interpret its content, is what we need to prevent.
It is an object of the present invention to provide a method and a system which alleviates the above drawbacks.